Critical Error with Hide Backend Slug

@soportee

Ok, so this is probably what you are doing (Guessing because your problem description is not very clear):

Let’s assume the Hide Backend slug is set to: letmein

1. Access https://www.example.com/letmein
Result: Redirect to https://www.example.com/wp-login.php?itsec-hb-token=letmein
Dashboard login screen displays ok.

2. Access https://www.example.com/wp-login.php?itsec-hb-token=trumpisanidiot
Result: No redirect.
Dashboard login screen displays ok.

Step 2 works because at step 1 a itsec-hb-login-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cookie was created in your browser which allows the regular (wp-login.php but also wp-admin url) to function for an hour. Only AFTER the cookie expires (> 1 hour), ANY wp-login.php url will no longer work (from the same browser).

So after cookie expiration you have to use https://www.example.com/letmein (or https://www.example.com/wp-login.php?itsec-hb-token=letmein) again.

Hello,

First of all thanks for the quick response.

You’ve relieved me a lot with the answer, and so it is. I tested the address on another internet browser and it worked perfectly.

All the fear came when I saw in the log table several incorrect logon attempts.

I’ll follow up.

Again, thank you very much.

Good weekend, my friend.

So… I have the same problem… and my native languaje is Spanish… let see if I got it…

iThemes Security still hides backend…!!!???
I am just having headaches because a cookie…!!!???

If I migrate from iTS 6.2.1 to iTS 6.4.0, then I will have a an error to access to my dashboard for 1 hour because there is a cookie with 1 hour expiration affecting the new redirection path..???

Regards Leon..!!

I’m getting the following error:

Forbidden

You don’t have permission to access /wp-login.php on this server.

What do I do now?

@markclifford

Temporarily deactivate the iTSec plugin.

If the issue persists it’s not an iTSec plugin issue.

It’s deffinately a problem with the plugin. I’m designing the login page at the moment using Ultimate Branding by WPMUDEV and after a while I get the forbidden error and I’m locked out. I removed everything to do with iTsec in the htaccess file and I could get access again.

Not sure what to do….

• This reply was modified 7 years, 3 months ago by Mark.

I’m guessing the constant reloading of the login page was casuing this error to happen. I’ll see if it appears when using the site normally….

• This reply was modified 7 years, 3 months ago by Mark.

@markclifford

(Missed your last post so this is just a reminder that my message below is a response to your earlier post).

Ok, I see.
Temporarily deactivating the iTSec plugin automatically clears any plugin rules added to the .htaccess file … No need to remove those lines manually ??

Hmm, looks like your IP is getting banned in the .htaccess file.
(Which means you cannot access any file … not just the wp-login.php file.)

Which is weird, because your IP is automatically whitelisted (temporarily for 24 hours) by the plugin when logging in as a user with the Administrator role. Or have you not at least logged in once as a user with the Administrator role assigned ?

Please provide the following info which will give me some context:

WordPress 4.8.1 ?
iTSec plugin 6.4.0 ?
Apache version ?
PHP version ?
Local dev env ?
Linux/Windows ?
Multi Site env ?

If it is indeed the plugin banning your IP you could permanently whitelist your IP in the plugin Global Settings module while you are still developing the login page.

• This reply was modified 7 years, 3 months ago by pronl. Reason: Added a short clarification of my post